Brute force protection is essential for two-factor authentication, because otherwise the authentication code could just be guessed by an attacker. The bundle doesn't come with a predefined anti brute force solution, but you can easily implement one by listening to the events provided by the bundle.
Register a listener for the scheb_two_factor.authentication.failure event. Log whatever you need (IP, user, etc.)
to detect brute force attacks.
Register a listener for the scheb_two_factor.authentication.attempt event. Execute your brute-force detection logic
and decide if the attempt should be blocked. Since that event is dispatched directly before the two-factor code is
checked, you can prevent that from happening by throwing a new exception of type
Symfony\Component\Security\Core\Exception\AuthenticationException. That exception will be caught by the authentication
layer and the exception message is shown to the user.